PT-2026-37422
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: An out-of-bounds read exists in the cifs_sanitize_prepath function. This occurs when the function is called with an empty string or a string consisting solely of delimiters, such as "/"...
Introducing Penetration Test Findings: Unified Offensive Security in Wiz
Streamline pen-testing by unifying findings from bug bounties, manual audits, and Wiz Red Agent into a single, context-rich view...
position can be opened without premium
Lines of code. Vulnerability details. Description: Premium in ParticlePositionManager is used to cover trading fees accrued for the liquidity borrowed. When liquidating, a portion of the premium is also used for the liquidation reward. The issue is that a borrower can open a position without any...
Lack of slippage protection for increaseLiquidity and decreaseLiquidity
Lines of code. Vulnerability details. Impact: Lack of slippage protection for increasing and decreasing liquidity can cause the liquidity provider to provide liquidity at an unfavorable price, or the borrower to borrow/repay in a manipulated pool. Proof of Concept: When adding liquidity eventually...
Memory corruption in getBytes32FromBytes() can likely lead to loss of funds
Lines of code. Vulnerability details. Description: The LibBytes library is used to read and store uint128 types compactly for Well functions. The function getBytes32FromBytes will fetch a specific index as bytes32. /** @dev Read the ith 32-byte chunk from data. */ function getBytes32FromBytes(bytes memo...
Comparing Ether values using equality operators (== or !=) makes them very hard to match each other. This will always revert
Lines of code. Vulnerability details. Impact: Comparing Ether values using equality operators makes them very hard to match each other because Ether values are stored in a 256-bit unsigned integer (uint256) in Solidity. This means that there are a very large number of possible Ether values, and it is very...
There is no check to see if eth was successfully sent from ValidatorWithdrawalVault to StaderStakePoolsManager.
Lines of code. Vulnerability details. Impact: The ETH transfer may not complete successfully. As a result, the user will not receive their share from the validator. Tools Used: Manual audit. Recommended Mitigation Steps: Add to the StaderStakePoolManager.receiveWithdrawVaultUserShare function: if (msg.value == 0) revert...
There is no check to see if eth was successfully sent from PermissionlessNodeRegistry to StaderInsuranceFund.
Lines of code. Vulnerability details. Impact: The ETH transfer may not complete successfully. As a result, StaderInsuranceFund will not receive collateral. Tools Used: Manual audit. Recommended Mitigation Steps: Add to the StaderInsuranceFund.depositFund function: if (msg.value == 0) revert Error... Assessed type: ETH-Transfe...
Tokens can be lost when trying to deposit in SDCollateral.depositSDAsCollateral() or trying to withdraw via SDCollateral.withdraw()
Lines of code. Vulnerability details. Impact: Some tokens do not return the success of the token transfer. Since we don't know for sure how the SD token is implemented, we need to take this into account. Proof of Concept: A detailed example is listed in: Tools Used: Manual audit. Recommended...
Context not implemented as per need of the code
Lines of code. Vulnerability details. Impact: Logical and mathematical flaws might occur due to the lack of a check. Proof of Concept: As per the comment in: //check if the withdrawal occurred after mostRecentWithdrawalBlockNumber, but no check is involved in the code, which would cause mathematical flaws in...
Bytecode Compressor Contract Replay Attack.
Lines of code. Vulnerability details. Impact: Injection of duplicate code. Proof of Concept: In the markBytecodeAsPublished function, the contract does not check whether a particular hash has already been added to the storage. The contract only checks the current marker value of the hash, which is se...
[M-04] Balance manipulation when contract is paused
Lines of code. Vulnerability details. Impact: State-changing methods missing the whenNotPaused modifier are a security hole. Even when the contract is paused, the increaseTotalBalance and decreaseTotalBalance methods can be called internally. Therefore, medium severity matches. Proof of Concept: function...
User can send a proposal and instantly take back their collateral, keeping the proposal active without risking any Raes amount.
Lines of code. Vulnerability details. Description: In OptimisticListingSeaport.sol, users call propose to set a new proposal. The pendingBalance is updated immediately for the calling proposer: // Sets collateral amount to pending balances for withdrawal pendingBalances[vault][proposedListing.proposer] ...
Invalid tokens can be added to the pair
Lines of code. Vulnerability details. Impact: merkleRoot is a bytes32, and it is compared to bytes23(0), which makes it possible for a non-zero merkleRoot to be set in the constructor and yet still have all tokens declared as valid. Proof of Concept. Tools Used: Manual Audit. Recommended Mitigation Steps...
Bids are wrongly ordered when prices and quantities are equal.
Lines of code. Vulnerability details. Description: In GroupBuy, when the total amount of Raes is filled up with purchases, users start competing with higher price offers. Their bids are laid out in a min priority queue structure implemented in MinPriorityQueue.sol. The docs clearly state that when two...
User loses collateral converted to pendingBalance when cash() or list() is called
Lines of code. Vulnerability details. Description: In OptimisticListingOpensea, there are several functions which update pendingBalances of a proposer: 1. list, 2. cash, 3. propose. Unfortunately, in list and cash the = operator is used instead of += when writing the new pendingBalances. For example:...
Medium: Node runner whitelisting functionality is broken
Lines of code. Vulnerability details. Description: isNodeRunnerWhitelisted manages whitelisting of nodeRunners. If whitelisting is enabled, this mapping is checked in isNodeRunnerValid: function isNodeRunnerValid(address nodeRunner) internal view returns (bool) { require(nodeRunner != address(0), "Zero...
Medium: Users receive an incorrect account of their accumulated ETH in GiantMevAndFeesPool.
Lines of code. Vulnerability details. Description: GiantMEVAndFeesPool exposes previewAccumulatedETH for users to view how much ETH they have accumulated through the vault: function previewAccumulatedETH(address user, address[] calldata stakingFundsVaults, LPToken[] calldata lpTokens) external view retur...
It is possible for ETH to be trapped inside the LooksRareAggregator contract
Lines of code. Vulnerability details. Impact: If a user purchases NFTs with ETH, or with ETH and ERC20 tokens, but with limited gas fees, it is possible that all purchase transactions succeed and some ETH, or ETH and ERC20 tokens, are left over. The leftover ETH may be trapped inside the contract and the user...
Contract LooksRareAggregator does not verify the proxy has code when delegatecall() is called on the proxy
Lines of code. Vulnerability details. Impact: delegatecall will return 'True' for the status value if it is called on an address that is not a contract and so has no code. This can cause bugs if code expects delegatecall to return False when it has to perform special logic. If, for some...